Wednesday, April 17, 2024

Microsoft is great, but not enough for email security


Microsoft 365 is the default software in SMEs, and understandably so. It offers a comprehensive set of productivity tools; flexible, scalable, and affordable licensing options; and compliance and security capabilities. However, given the ever-growing and persistent threat of cyberattacks, the standard safeguards it offers for email security are insufficient.

Analysis of over 1 billion emails worldwide shows that email is the preferred vehicle of cybercriminals. Email-delivered malware remains a favorite, increasing by 276 percent between January and December of last year. Additionally, attachments are a growing threat. In Q4 of 2023, EML attachments increased 10-fold. Criminals send malicious payloads inside EML files because the nested message is overlooked when it is attached to the actual phishing email, which itself scans clean.
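The evasion described above relies on a scanner that stops at the outer message. As an added example that is not part of the original article, the Python script below walks every attached .eml (message/rfc822) layer and reports each attachment with its nesting depth, so a file carried inside a forwarded message is enumerated rather than overlooked. The sample message and its file names are constructed placeholders.

```python
# Added example (not from the article): enumerate an email's attachments at every
# nesting level, descending into attached .eml (message/rfc822) parts. Stdlib only.
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: delivered mail -> original.eml -> invoice.html (placeholder body).
SAMPLE_EML = b"""\
From: colleague@example.invalid
Subject: FW: Invoice
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="original.eml"

From: billing@example.invalid
Subject: Invoice 4471
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/html
Content-Disposition: attachment; filename="invoice.html"

<p>constructed placeholder, not a real payload</p>
--inner--
--outer--
"""


def walk_attachments(msg: EmailMessage, depth: int = 0) -> list[tuple[int, str, str]]:
    """Return (depth, filename, content_type) per attachment; depth 0 is the delivered mail."""
    found = []
    if msg.get_content_type() == "message/rfc822":
        # Record the .eml itself, then step inside: its payload is a list holding the embedded message.
        found.append((depth, msg.get_filename() or "(embedded message)", "message/rfc822"))
        for embedded in msg.get_payload():
            found.extend(walk_attachments(embedded, depth + 1))
    elif msg.is_multipart():
        for part in msg.iter_parts():
            found.extend(walk_attachments(part, depth))
    elif msg.get_filename() or msg.get_content_disposition() == "attachment":
        found.append((depth, msg.get_filename() or "(unnamed)", msg.get_content_type()))
    return found


def scan(raw: bytes) -> list[tuple[int, str, str]]:
    return walk_attachments(message_from_bytes(raw, policy=policy.default))


def hidden_from_top_level_scan(raw: bytes) -> list[tuple[int, str, str]]:
    """Attachments that a scanner which never opens embedded .eml files would not see."""
    return [a for a in scan(raw) if a[0] > 0]
```

Feeding the script a real mailbox export instead of SAMPLE_EML lists every attachment a top-level-only filter would have missed, which is the gap a layered scanner has to close.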

In light of this, SMEs need to layer advanced email threat protection on top of the standard security offered by Microsoft, overcoming some of the software's inherent limitations to help combat phishing attacks, spoofing, and security breaches. Today, not only is Microsoft among the most spoofed URLs, but Microsoft Office remains among the top targets for cybercriminals, with daily attacks increasing by 53 percent in 2023.

Let’s look at where some of the critical email security limitations lie in Microsoft and what corrective techniques are imperative for protection.

Multi-level security packages

Microsoft offers various security packages for Microsoft 365 and Office 365, ranging from E1 and E3 to E5, with E5 being the most comprehensive yet expensive option. Enterprises often adopt a mix of these packages based on employees’ roles, seeking to balance functionality with expenditure.

However, this diverse approach to security provisioning can introduce vulnerabilities. For example, higher-level subscriptions, such as E5, provide advanced security features crucial for VIP users or those handling sensitive data. Conversely, lower-tier licenses may lack critical protections against impersonation and zero-day threats. Criminals keenly exploit these gaps, knowing that enterprises prioritize cost savings through license selection.

Moreover, Microsoft imposes user caps on some plans, such as the 300-user limit on Business Premium, which may also inadvertently lead to ill-advised compromises on security in the pursuit of cost savings.

Lower-tier subscriptions may also lack advanced threat visibility tools, such as advanced analytics and deep investigation capabilities. A mix-and-match approach can leave gaps in visibility that impact crucial investigation and response times.

Misconfigurations

Misconfigurations easily creep into the Microsoft portal. The Microsoft security portal is a hub of data from everything from web apps, databases, and virtual machines to endpoints and more. From an email security standpoint, correctly configuring the portal, and crucially maintaining that configuration, isn't easy. Take Link Protection, aka SafeLinks. This functionality needs to be enabled in multiple places across the Microsoft portal. However, as Microsoft routinely updates the platform, the settings can be altered, moved to different locations, or even disabled by default. This poses a security risk, since the team may not instantly know that the functionality is disabled, and it forces the security team into the unnecessarily time-consuming work of identifying the gaps and resetting the configuration. Deploying a dedicated advanced threat protection platform to enhance Microsoft 365 therefore becomes necessary for email security.

Static security intelligence

Microsoft uses third-party security intelligence feeds, which by nature are static. Typically, there is a significant delay between an update to the intelligence feed and that update taking effect on the platform. This is because Microsoft is complex, and updates need to be deployed across the whole platform. Also, email security is only one element of the overall security capability, so it may not be addressed as a priority. A threat left untended for even one or two days is enough to allow a successful zero-day attack.

Link Isolation is one technique that helps protect against unknown zero-day threats in this scenario: it renders malicious URLs in emails, and the web pages they lead to, harmless. Similarly, to check for malicious attachments, sandboxing capability is a must, where the suspicious file is detonated in isolation in a 'sandbox', i.e., a virtual machine in the cloud. This allows the security team to investigate the potential threat, understand the attack pattern, and gain deep insight into the incident, such as which keys have been touched, when the process started, what network connections have been made, and so on. By adopting this approach, enterprises gain live, real-time monitoring and intelligence, in turn enabling pre-emptive action.

‘In the moment’ user training

No matter how advanced security technology gets, user security risk awareness and vigilance are indispensable. Routine, periodic security training helps, but engaging with users 'in the moment' is more effective. Immediately telling a user why an email, link, or attachment has been blocked, and showing the signs that indicate why the item might be malicious, is far more likely to stick in their memory.

Email security is a small part of Microsoft’s overall security

All this is not to say that Microsoft isn't focused on security. Microsoft undoubtedly is a great system, but it isn't a dedicated security provider, and definitely not a specialist email security provider. Historically, the company's efforts have focused on infrastructure, operating systems, Exchange, and the like. It has of course moved into security, but primarily to protect the cloud infrastructure, of which email security is a small part. This is why, while Microsoft provides the above-mentioned techniques like Link Isolation (as SafeLinks) and sandboxing (as SafeAttachments), they are offered in a limited capacity, and only to those enterprises who can afford the costliest license. Even then, the approach doesn't go deep enough to make a material difference.

So, what can SMEs do? While many SMEs may not be able to afford the top license package for the whole organization, or to hire IT resources to address the limitations in-house, they can use third-party security service providers who specialize in email security. This has proven to be the most cost-effective and reliable approach.

Image Credit: Rafael Henrique/Dreamstime.com

Oliver Paterson is Director of Product Management, VIPRE Security Group. Oliver helps enterprises and partners understand the complex security landscape and protect themselves from the most advanced threats. He leads product development to devise security solutions that can bridge the gaps in clients’ current infrastructure.
